What goes?

Cert looks OK to me
--
Chris

On 11/09/2023 00:28, Chris Townley wrote:
> What goes?
>
> Cert looks OK to me

Sorry newsreader bu##ered my message

I cannot get to VSI Forum, although in date, says certificate has been
cancelled, but I cannot see anything wrong

--
Chris

On 9/10/2023 7:35 PM, Chris Townley wrote:
> On 11/09/2023 00:28, Chris Townley wrote:
>> What goes?
>>
>> Cert looks OK to me
>
> Sorry newsreader bu##ered my message
>
> I cannot get to VSI Forum, although in date, says certificate has been
> cancelled, but I cannot see anything wrong

I tried:

FF -> cert revoked
Chrome -> worked
FF again -> worked

??

Arne

On 11/09/2023 00:42, Arne Vajhøj wrote:
> On 9/10/2023 7:35 PM, Chris Townley wrote:
>> On 11/09/2023 00:28, Chris Townley wrote:
>>> What goes?
>>>
>>> Cert looks OK to me
>>
>> Sorry newsreader bu##ered my message
>>
>> I cannot get to VSI Forum, although in date, says certificate has been
>> cancelled, but I cannot see anything wrong
>
> I tried:
>
> FF -> cert revoked
> Chrome -> worked
> FF again -> worked
>
> ??
>
> Arne
>
Neither Chrome not Firefox would let me in, mind it was Kaspersky that
stopped me, and it wouldn't let me override.

I might get onto their wonderful support desk in the morning...

--
Chris

On 9/10/2023 9:11 PM, Chris Townley wrote:
> On 11/09/2023 00:42, Arne Vajhøj wrote:
>> On 9/10/2023 7:35 PM, Chris Townley wrote:
>>> On 11/09/2023 00:28, Chris Townley wrote:
>>>> What goes?
>>>>
>>>> Cert looks OK to me
>>>
>>> Sorry newsreader bu##ered my message
>>>
>>> I cannot get to VSI Forum, although in date, says certificate has
>>> been cancelled, but I cannot see anything wrong
>>
>> I tried:
>>
>> FF -> cert revoked
>> Chrome -> worked
>> FF again -> worked
>>
>> ??
>>
> Neither Chrome not Firefox would let me in, mind it was Kaspersky that
> stopped me, and it wouldn't let me override.
>
> I might get onto their wonderful support desk in the morning...

There is something going on with that site.

I tried again.

FF gives cert revoked every time now.

Chrome works. And say that cert expire Tuesday, September 19, 2023 at
7:59:59 PM.

And I do not use Kaspersky.

Arne

On Sunday, September 10, 2023 at 9:56:39 PM UTC-4, Arne Vajhøj wrote:
> I tried again.
>
> FF gives cert revoked every time now.
>
> Chrome works. And say that cert expire Tuesday, September 19, 2023 at
> 7:59:59 PM.
>
> And I do not use Kaspersky.

https://www.ssllabs.com/ssltest/analyze.html?d=forum.vmssoftware.com&latest reports "Revoked INSECURE". So somebody should contact VSI and ask them (if they don't see it and fix it first).

On 9/10/2023 9:56 PM, Arne Vajhøj wrote:
> There is something going on with that site.
>
> I tried again.
>
> FF gives cert revoked every time now.
>
> Chrome works. And say that cert expire Tuesday, September 19, 2023 at
> 7:59:59 PM.

I tried via work.

Chrome works.

FF does not work but gives a different error:

"Bad Server Certificate" and certificate expiration is 11-Nov-2284 07:08:23.

WTF??

Arne

On 11/09/2023 03:34, Arne Vajhøj wrote:
> On 9/10/2023 9:56 PM, Arne Vajhøj wrote:
>> There is something going on with that site.
>>
>> I tried again.
>>
>> FF gives cert revoked every time now.
>>
>> Chrome works. And say that cert expire Tuesday, September 19, 2023 at
>> 7:59:59 PM.
>
> I tried via work.
>
> Chrome works.
>
> FF does not work but gives a different error:
>
> "Bad Server Certificate" and certificate expiration is 11-Nov-2284
> 07:08:23.
>
> WTF??
>
> Arne
>
>
Every certificate contains a URL for a certificate revocation list
(CRL). So if a certificate is compromised, for example because its
private key is stolen, it can be revoked.

What you are seeing is the fact that Chrome and Edge don't check the CRL
but FF does

Dave

Den 2023-09-11 kl. 10:02, skrev David Wade:
> On 11/09/2023 03:34, Arne Vajhøj wrote:
>> On 9/10/2023 9:56 PM, Arne Vajhøj wrote:
>>> There is something going on with that site.
>>>
>>> I tried again.
>>>
>>> FF gives cert revoked every time now.
>>>
>>> Chrome works. And say that cert expire Tuesday, September 19, 2023 at
>>> 7:59:59 PM.
>>
>> I tried via work.
>>
>> Chrome works.
>>
>> FF does not work but gives a different error:
>>
>> "Bad Server Certificate" and certificate expiration is 11-Nov-2284 07:08:23.
>>
>> WTF??
>>
>> Arne
>>
>>
> Every certificate contains a URL for a certificate revocation list (CRL).
> So if a certificate is compromised, for example because its private key is
> stolen, it can be revoked.
>
> What you are seeing is the fact that Chrome and Edge don't check the CRL
> but FF does
>
> Dave

The page https://forum.vmssoftware.com/ opens just fine for me.
And I can read entries in the forum (the "Last VSCode..." post).

When clicking "Login" at the top right, I get the login page.
But when clicking the Login button on the login page, it just hangs.

Win11 and the latest FF.

FWIW...

Jan-Erik.

On 11/09/2023 11:17, Neil Rieck wrote:
> On Monday, September 11, 2023 at 5:48:03 AM UTC-4, Jan-Erik Söderholm wrote:
>> Den 2023-09-11 kl. 10:02, skrev David Wade:
>>> On 11/09/2023 03:34, Arne Vajhøj wrote:
>>>> On 9/10/2023 9:56 PM, Arne Vajhøj wrote:
>>>>> There is something going on with that site.
>>>>>
>>>>> I tried again.
>>>>>
>>>>> FF gives cert revoked every time now.
>>>>>
>>>>> Chrome works. And say that cert expire Tuesday, September 19, 2023 at
>>>>> 7:59:59 PM.
>>>>
>>>> I tried via work.
>>>>
>>>> Chrome works.
>>>>
>>>> FF does not work but gives a different error:
>>>>
>>>> "Bad Server Certificate" and certificate expiration is 11-Nov-2284 07:08:23.
>>>>
>>>> WTF??
>>>>
>>>> Arne
>>>>
>>>>
>>> Every certificate contains a URL for a certificate revocation list (CRL).
>>> So if a certificate is compromised, for example because its private key is
>>> stolen, it can be revoked.
>>>
>>> What you are seeing is the fact that Chrome and Edge don't check the CRL
>>> but FF does
>>>
>>> Dave
>> The page https://forum.vmssoftware.com/ opens just fine for me.
>> And I can read entries in the forum (the "Last VSCode..." post).
>>
>> When clicking "Login" at the top right, I get the login page.
>> But when clicking the Login button on the login page, it just hangs.
>>
>> Win11 and the latest FF.
>>
>> FWIW...
>>
>> Jan-Erik.
>
> The good folks at VSI might have been changing things -BUT- still have a potential problem.
>
> As of 2023-09-11 (6:07 EDT)
>
> This site: https://vmssoftware.com/
> uses a certificate with an issue date of Sept-06, 2023 and employs a common name of "vmssoftware.com"
> (no problem here)
>
> This site: https://forum.vmssoftware.com/
> uses a wildcard certificate with an issue date of Sept-18, 2022 and employs a common name of "*.vmssoftware.com"
> (will expire on Sept-19, 2023)
>
> Neil Rieck
> Waterloo, Ontario, Canada.
> http://neilrieck.net/OpenVMS.html

Acknowledged on the forum:

Thank you for reporting the issue. We already know about it and hope to
have it fixed by the end of the day. We will let everyone know once we
are done.

Thank you,

VSI Website Support Team

Chris

--
Chris

Den 2023-09-11 kl. 12:48, skrev Chris Townley:
> On 11/09/2023 11:17, Neil Rieck wrote:
>> On Monday, September 11, 2023 at 5:48:03 AM UTC-4, Jan-Erik Söderholm wrote:
>>> Den 2023-09-11 kl. 10:02, skrev David Wade:
>>>> On 11/09/2023 03:34, Arne Vajhøj wrote:
>>>>> On 9/10/2023 9:56 PM, Arne Vajhøj wrote:
>>>>>> There is something going on with that site.
>>>>>>
>>>>>> I tried again.
>>>>>>
>>>>>> FF gives cert revoked every time now.
>>>>>>
>>>>>> Chrome works. And say that cert expire Tuesday, September 19, 2023 at
>>>>>> 7:59:59 PM.
>>>>>
>>>>> I tried via work.
>>>>>
>>>>> Chrome works.
>>>>>
>>>>> FF does not work but gives a different error:
>>>>>
>>>>> "Bad Server Certificate" and certificate expiration is 11-Nov-2284
>>>>> 07:08:23.
>>>>>
>>>>> WTF??
>>>>>
>>>>> Arne
>>>>>
>>>>>
>>>> Every certificate contains a URL for a certificate revocation list (CRL).
>>>> So if a certificate is compromised, for example because its private key is
>>>> stolen, it can be revoked.
>>>>
>>>> What you are seeing is the fact that Chrome and Edge don't check the CRL
>>>> but FF does
>>>>
>>>> Dave
>>> The page https://forum.vmssoftware.com/ opens just fine for me.
>>> And I can read entries in the forum (the "Last VSCode..." post).
>>>
>>> When clicking "Login" at the top right, I get the login page.
>>> But when clicking the Login button on the login page, it just hangs.
>>>
>>> Win11 and the latest FF.
>>>
>>> FWIW...
>>>
>>> Jan-Erik.
>>
>> The good folks at VSI might have been changing things -BUT- still have a
>> potential problem.
>>
>> As of 2023-09-11 (6:07 EDT)
>>
>> This site: https://vmssoftware.com/
>> uses a certificate with an issue date of Sept-06, 2023 and employs a
>> common name of "vmssoftware.com"
>> (no problem here)
>>
>> This site: https://forum.vmssoftware.com/
>> uses a wildcard certificate with an issue date of Sept-18, 2022 and
>> employs a common name of "*.vmssoftware.com"
>> (will expire on Sept-19, 2023)
>>
>> Neil Rieck
>> Waterloo, Ontario, Canada.
>> http://neilrieck.net/OpenVMS.html
>
> Acknowledged on the forum:
>
> Thank you for reporting the issue. We already know about it and hope to
> have it fixed by the end of the day. We will let everyone know once we are
> done.
>
> Thank you,
>
> VSI Website Support Team
>
> Chris
>

I guess that is "end of the day" in one of the US time zones.
Doesn't matter, I'll wait until tomorrow (Central European time zone). :-)

On 2023-09-10, Arne Vajhøj <arne@vajhoej.dk> wrote:
> On 9/10/2023 9:56 PM, Arne Vajhøj wrote:
>> There is something going on with that site.
>>
>> I tried again.
>>
>> FF gives cert revoked every time now.
>>
>> Chrome works. And say that cert expire Tuesday, September 19, 2023 at
>> 7:59:59?PM.
>
> I tried via work.
>
> Chrome works.
>
> FF does not work but gives a different error:
>
> "Bad Server Certificate" and certificate expiration is 11-Nov-2284 07:08:23.
>
> WTF??
>

Chrome does a far more limited revoked check than Firefox does.

However, if that's really the expiry date, then Chrome should have
at least reported a warning because that expiry date is more than
397 days into the future.

Simon.

--
Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.

On 2023-09-11, Chris Townley <news@cct-net.co.uk> wrote:
>
> Acknowledged on the forum:
>
> Thank you for reporting the issue. We already know about it and hope to
> have it fixed by the end of the day. We will let everyone know once we
> are done.
>
> Thank you,
>
> VSI Website Support Team
>

I would like to know what went wrong and if it's just a certificate
screwup or whether VSI got compromised.

I hope it's just a certificate screwup, but I think VSI should confirm that.

In the meantime however, comp.os.vms continues to work just fine... :-)

Simon.

--
Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.

On 2023-09-11 04:32, terry-...@glaver.org wrote:
> On Sunday, September 10, 2023 at 9:56:39 PM UTC-4, Arne Vajhøj wrote:
>> I tried again.
>>
>> FF gives cert revoked every time now.
>>
>> Chrome works. And say that cert expire Tuesday, September 19, 2023 at
>> 7:59:59 PM.
>>
>> And I do not use Kaspersky.
>
> https://www.ssllabs.com/ssltest/analyze.html?d=forum.vmssoftware.com&latest reports "Revoked INSECURE". So somebody should contact VSI and ask them (if they don't see it and fix it first).

Now - when are people going to start questioning how secure this whole
certificates thing is, in the face of something as widespread and in
common use as FF and Chrome have such a different view on if a
certificate is valid or not...

Johnny

On 2023-09-11 10:02, David Wade wrote:
> On 11/09/2023 03:34, Arne Vajhøj wrote:
>> On 9/10/2023 9:56 PM, Arne Vajhøj wrote:
>>> There is something going on with that site.
>>>
>>> I tried again.
>>>
>>> FF gives cert revoked every time now.
>>>
>>> Chrome works. And say that cert expire Tuesday, September 19, 2023 at
>>> 7:59:59 PM.
>>
>> I tried via work.
>>
>> Chrome works.
>>
>> FF does not work but gives a different error:
>>
>> "Bad Server Certificate" and certificate expiration is 11-Nov-2284
>> 07:08:23.
>>
>> WTF??
>>
>> Arne
>>
>>
> Every certificate contains a URL for a certificate revocation list
> (CRL). So if a certificate is compromised, for example because its
> private key is stolen, it can be revoked.

What kind of broken scheme is that? You get an URL and are supposed to
check if something is ok based on this? How hard would it be to direct
that to somewhere else and fake things?

> What you are seeing is the fact that Chrome and Edge don't check the CRL
> but FF does

Which is bad, but also shows how much you can trust certificates or
sites, based on your browser approving of them.

Johnny

On 9/11/2023 10:06 AM, Johnny Billquist wrote:
> On 2023-09-11 10:02, David Wade wrote:
>> On 11/09/2023 03:34, Arne Vajhøj wrote:
>>> On 9/10/2023 9:56 PM, Arne Vajhøj wrote:
>>>> There is something going on with that site.
>>>>
>>>> I tried again.
>>>>
>>>> FF gives cert revoked every time now.
>>>>
>>>> Chrome works. And say that cert expire Tuesday, September 19, 2023
>>>> at 7:59:59 PM.
>>>
>>> I tried via work.
>>>
>>> Chrome works.
>>>
>>> FF does not work but gives a different error:
>>>
>>> "Bad Server Certificate" and certificate expiration is 11-Nov-2284
>>> 07:08:23.
>>>
>>> WTF??
>>>
>>> Arne
>>>
>>>
>> Every certificate contains a URL for a certificate revocation list
>> (CRL). So if a certificate is compromised, for example because its
>> private key is stolen, it can be revoked.
>
> What kind of broken scheme is that? You get an URL and are supposed to
> check if something is ok based on this? How hard would it be to direct
> that to somewhere else and fake things?
>
>> What you are seeing is the fact that Chrome and Edge don't check the
>> CRL but FF does
>
> Which is bad, but also shows how much you can trust certificates or
> sites, based on your browser approving of them.
>

On this whole certificate thing. I have never understood why I am
expected to trust a certificate issued by someone I don't know and
have no reason to trust in the first place.

If you think that certificate someone gave you is really secure take
a look at recent papers about a safe manufacturer who gave the
government a code that opens every safe they have sold. Are you
sure there isn't a back door for your certificate? Do you trust that
the issuer wouldn't give it to someone other than you?

bill

On 11/09/2023 15:59, bill wrote:
> On 9/11/2023 10:06 AM, Johnny Billquist wrote:
>> On 2023-09-11 10:02, David Wade wrote:
>>> On 11/09/2023 03:34, Arne Vajhøj wrote:
>>>> On 9/10/2023 9:56 PM, Arne Vajhøj wrote:
>>>>> There is something going on with that site.
>>>>>
>>>>> I tried again.
>>>>>
>>>>> FF gives cert revoked every time now.
>>>>>
>>>>> Chrome works. And say that cert expire Tuesday, September 19, 2023
>>>>> at 7:59:59 PM.
>>>>
>>>> I tried via work.
>>>>
>>>> Chrome works.
>>>>
>>>> FF does not work but gives a different error:
>>>>
>>>> "Bad Server Certificate" and certificate expiration is 11-Nov-2284
>>>> 07:08:23.
>>>>
>>>> WTF??
>>>>
>>>> Arne
>>>>
>>>>
>>> Every certificate contains a URL for a certificate revocation list
>>> (CRL). So if a certificate is compromised, for example because its
>>> private key is stolen, it can be revoked.
>>
>> What kind of broken scheme is that? You get an URL and are supposed to
>> check if something is ok based on this? How hard would it be to direct
>> that to somewhere else and fake things?
>>
>>> What you are seeing is the fact that Chrome and Edge don't check the
>>> CRL but FF does
>>
>> Which is bad, but also shows how much you can trust certificates or
>> sites, based on your browser approving of them.
>>
>
> On this whole certificate thing.  I have never understood why I am
> expected to trust a certificate issued by someone I don't know and
> have no reason to trust in the first place.
>

How else would you arrange things?

> If you think that certificate someone gave you is really secure take
> a look at recent papers about a safe manufacturer who gave the
> government a code that opens every safe they have sold.  Are you
> sure there isn't a back door for your certificate?

Look at the uproar in the UK when the government recently asked for
this. If there were back doors the bad guys would have figured them out
and the world would be a different place.

Consider the case of TSA locks on suitcases. Its now totally pointless
locking a bag or case on a USA flight as every scroate owns a set of TSA
keys and so both the good guys and the bad guys can get in.

> Do you trust that
> the issuer wouldn't give it to someone other than you?
>

Well as an end user I don't have a certificate. When I accept an SSL
session I still trust in the certificate owner and the certificate
issuers i.e. the web site to keep their private keys private.

The issuer can give the rest of my certificate to the world. Every web
site does that whenever you initiate an SSL session. What they don't
give out is the associated private key, the secret part of the exchange.

The certificate issuer can't give that out, they never have it, is never
seen by the certificate issuer so they can't give it to any one else. Of
course if some one could determine my private key from my public key
then the could duplicate the certificate. This means as computing speeds
advance, the key lengths need to increase....

> bill
>
>

Dave

On 2023-09-11 18:09, David Wade wrote:
> On 11/09/2023 15:59, bill wrote:
>> On 9/11/2023 10:06 AM, Johnny Billquist wrote:
>>> On 2023-09-11 10:02, David Wade wrote:
>>>> On 11/09/2023 03:34, Arne Vajhøj wrote:
>>>>> On 9/10/2023 9:56 PM, Arne Vajhøj wrote:
>>>>>> There is something going on with that site.
>>>>>>
>>>>>> I tried again.
>>>>>>
>>>>>> FF gives cert revoked every time now.
>>>>>>
>>>>>> Chrome works. And say that cert expire Tuesday, September 19, 2023
>>>>>> at 7:59:59 PM.
>>>>>
>>>>> I tried via work.
>>>>>
>>>>> Chrome works.
>>>>>
>>>>> FF does not work but gives a different error:
>>>>>
>>>>> "Bad Server Certificate" and certificate expiration is 11-Nov-2284
>>>>> 07:08:23.
>>>>>
>>>>> WTF??
>>>>>
>>>>> Arne
>>>>>
>>>>>
>>>> Every certificate contains a URL for a certificate revocation list
>>>> (CRL). So if a certificate is compromised, for example because its
>>>> private key is stolen, it can be revoked.
>>>
>>> What kind of broken scheme is that? You get an URL and are supposed
>>> to check if something is ok based on this? How hard would it be to
>>> direct that to somewhere else and fake things?
>>>
>>>> What you are seeing is the fact that Chrome and Edge don't check the
>>>> CRL but FF does
>>>
>>> Which is bad, but also shows how much you can trust certificates or
>>> sites, based on your browser approving of them.
>>>
>>
>> On this whole certificate thing.  I have never understood why I am
>> expected to trust a certificate issued by someone I don't know and
>> have no reason to trust in the first place.
>>
>
> How else would you arrange things?

That is a good question. But Bill still have a point. Why should I trust
some random company just because they say so?

>> If you think that certificate someone gave you is really secure take
>> a look at recent papers about a safe manufacturer who gave the
>> government a code that opens every safe they have sold.  Are you
>> sure there isn't a back door for your certificate?
>
> Look at the uproar in the UK when the government recently asked for
> this. If there were back doors the bad guys would have figured them out
> and the world would be a different place.

How do you know they don't exist, and bad guys already have figured them
out? It's not exactly something anyone would want to admit.

> Consider the case of TSA locks on suitcases. Its now totally pointless
> locking a bag or case on a USA flight as every scroate owns a set of TSA
> keys and so both the good guys and the bad guys can get in.

Those locks have never been about safety. Or did you really think that
noone could open your suitcase and get to the content because you locked it?

Those locks are all about not having suitcases accidentally open up.
Having a 3-digit combo is just making it look fancy. They are already
extremely easy to pick.

But TSA don't care. And if you have one without the TSA bypass, they'll
just break your lock to check inside. Which would you prefer? That they
can open without damage, or open with damage?

>> Do you trust that
>> the issuer wouldn't give it to someone other than you?
>>
>
> Well as an end user I don't have a certificate. When I accept an SSL
> session I still trust in the certificate owner and the certificate
> issuers i.e. the web site to keep their private keys private.

And the issuer can potentially issue a certificate for that site or item
to anyone. You just have to trust that they don't.

> The issuer can give the rest of my certificate to the world. Every web
> site does that whenever you initiate an SSL session. What they don't
> give out is the associated private key, the secret part of the exchange.
>
> The certificate issuer can't give that out, they never have it, is never
> seen by the certificate issuer so they can't give it to any one else. Of
> course if some one could determine my private key from my public key
> then the could duplicate the certificate. This means as computing speeds
> advance, the key lengths need to increase....

It all boils down to the CA certificates. Because a CA can issue a
trusted certificate for any site. The owner of the site can't do
anything about that.

Johnny

On Monday, September 11, 2023 at 9:02:48 AM UTC-4, Simon Clubley wrote:
> On 2023-09-11, Chris Townley <ne...@cct-net.co.uk> wrote:
> >
> > Acknowledged on the forum:
> >
> > Thank you for reporting the issue. We already know about it and hope to
> > have it fixed by the end of the day. We will let everyone know once we
> > are done.
> >
> > Thank you,
> >
> > VSI Website Support Team
> >
> I would like to know what went wrong and if it's just a certificate
> screwup or whether VSI got compromised.
>
> I hope it's just a certificate screwup, but I think VSI should confirm that.
>
> In the meantime however, comp.os.vms continues to work just fine... :-)
> Simon.
>
> --
> Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
> Walking destinations on a map are further away than they appear.

I can't log in to update my VMware crash/firmware issue post to indicate
that it was a prior config change and not the update that caused the issue
;)

I'm getting connection refused from cas.vmssoftware.com

On Monday, September 11, 2023 at 1:31:02 PM UTC-4, Gary Sparkes wrote:
> I can't log in to update my VMware crash/firmware issue post to indicate
> that it was a prior config change and not the update that caused the issue
> ;)
>
> I'm getting connection refused from cas.vmssoftware.com

But hey! On the upside, Java is available on the SP now, so something to
play with while we wait :)

On 9/11/2023 10:59 AM, bill wrote:

> On this whole certificate thing. I have never understood why I am
> expected to trust a certificate issued by someone I don't know and
> have no reason to trust in the first place.

If you think about trust for a bit, you will realize that you trust many things.
And, there have been instances of that trust being misplaced.

Do you trust the groceries you purchase? What about e-coli on vegetables?

Do you trust the gas at the station to work in your car?

Do you trust traffic lights to work correctly?

Do you trust that the oxygen at the hospital isn't some poison?

Do not misunderstand, I pretty much agree with you. But life is just a series
of trust, not sure what else would work.

--
David Froble Tel: 724-529-0450
Dave Froble Enterprises, Inc. E-Mail: davef@tsoft-inc.com
DFE Ultralights, Inc.
170 Grimplin Road
Vanderbilt, PA 15486

On 2023-09-11, Johnny Billquist <bqt@softjar.se> wrote:
> On 2023-09-11 18:09, David Wade wrote:
>>
>> How else would you arrange things?
>
> That is a good question. But Bill still have a point. Why should I trust
> some random company just because they say so?
>

You already decided to trust the company when you decided to visit it.

The certificate is a way of checking that the company you are visiting
is really the company you think it is.

Also, the chain of trust does not start with a random company, but with
the root certificates in your own web browser. (And yes, that chain _can_
be compromised if an attacker is determined and resourceful enough).

>>
>> Well as an end user I don't have a certificate. When I accept an SSL
>> session I still trust in the certificate owner and the certificate
>> issuers i.e. the web site to keep their private keys private.
>
> And the issuer can potentially issue a certificate for that site or item
> to anyone. You just have to trust that they don't.
>

And when that happens (and it does sometimes happen), that issuer has just
committed suicide if it can be shown to be incompetence on the part of the
issuer. CAs have been dropped in the past from the major web browsers
because of this, but I can't remember the details.

(Other possibilities include a nation-state attack with a vector the issuer
could not reasonably have been aware of).

Simon.

--
Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.

On Monday, September 11, 2023 at 10:58:31 AM UTC-7, Simon Clubley wrote:

(snip)

> And when that happens (and it does sometimes happen), that issuer has just
> committed suicide if it can be shown to be incompetence on the part of the
> issuer. CAs have been dropped in the past from the major web browsers
> because of this, but I can't remember the details.

> (Other possibilities include a nation-state attack with a vector the issuer
> could not reasonably have been aware of).

This often enough happens when there isn't much trust needed.

If I want to download some documentation, so that no personal
information is needed, why the security?

OK, I suppose someone could write fake documentation for
some product, and then fake the web site to convince me
to download it.

Also, there are some that require an account when there is
nothing that would need one. Again, downloading material
that is not special in any way.

On 9/11/2023 1:58 PM, Dave Froble wrote:
> On 9/11/2023 10:59 AM, bill wrote:
>
>> On this whole certificate thing.  I have never understood why I am
>> expected to trust a certificate issued by someone I don't know and
>> have no reason to trust in the first place.
>
> If you think about trust for a bit, you will realize that you trust many
> things.  And, there have been instances of that trust being misplaced.

There is a difference between trusting and living with.

>
> Do you trust the groceries you purchase?  What about e-coli on vegetables?

And your other choice is?

>
> Do you trust the gas at the station to work in your car?

Immediately before the last hurricane hit Florida it was made public
that more than a dozen gas stations had sold contaminated gas and the
cars with this gas in their tanks could not be relied on to evacuate.

50 some years ago my brother pulled into a gas station across from
our parents house. Filled up his Datsun 2000 Roadster. And then it
wouldn't start. He had to have it towed to his house upon dismantling
the carburetor some kind of sludge was found. Cleaning the carburetor,
draining the gas tank, flushing the fuel system and refilling the tank
fixed the problem.

Do I trust them? Of course not. But what is your other choice?

>
> Do you trust traffic lights to work correctly?

They frequently do not. I know one in Kingston, PA that to this day
has a staggered left turn timing. Unfortunately it is staggered from
the wrong side given extra time for left turns into an out-coming one
way street instead of the main street it is supposed to be for. Been
like that for over 20 years.

I trust the drivers to actually obey the lights much less.

>
> Do you trust that the oxygen at the hospital isn't some poison?

I have to admit I have never seen a report of that happening.
But, same question. In that situation, what other choice do you have?

>
> Do not misunderstand, I pretty much agree with you.  But life is just a
> series of trust, not sure what else would work.
>

The answer is to not blindly trust anyone.

bill

On Monday, September 11, 2023 at 12:16:20 PM UTC-7, bill wrote:

(snip)

> > Do you trust that the oxygen at the hospital isn't some poison?

> I have to admit I have never seen a report of that happening.
> But, same question. In that situation, what other choice do you have?
You don't watch enough scary movies.

I do remember that one, though.